Editor’s Note: This is part three in a three-part series from the August edition of National Mortgage News magazine about the growing prevalence of business email compromise fraud. Read part one and part two here.

Stopping business email compromise attacks takes a multipronged approach by mortgage lenders, combining systems and education.

After a number of unsuccessful attempts at wire fraud against Gateway Mortgage Group, the Tulsa, Okla.-based lender spent much of its 2017 information technology budget putting up defenses to thwart these types of scams.

It built a layered information security platform “that has really helped us get eyes on this,” said Chief Information Officer Steven Harpe. “We have software in front of our communications system that is looking specifically for things like impersonation attempts or emails that are coming from geographic regions that we don’t do business in.”

Gateway partnered with a company that gave it the ability to write its own programming, Harpe said, adding that the first eight months of the rollout were devoted to customizing everything to meet its needs.

“If there is one thing that keeps you up at night, it is trying to stay ahead of this,” he said. “The industry is behind the curve. The criminals have the advantage because there’s a lot more of them and it’s almost a frictionless process for them. And it makes people’s jobs like mine and others in lender information security harder.”

The increase in spam attacks is another worry for Harpe. “They defeat you first by just overwhelming you with spam and then getting your credentials. Then they’re going to sit and watch your behavior, watch who you’re talking to and then they’re going to impersonate someone.”

Because the fraudsters are monitoring transactions, it is important that settlement agents and lenders have their own information technology controls in place, like two-factor authentication, said Mike Steer, president of Mortgage Quality Management & Research.

Plus, they need to train their employees on how to spot and deal with email phishing scam attempts.

“It is the small things like that that end up saving potential losses,” he said. “The more that [employees] are trained to be aware of certain scams that are out there and items to look for … [and] to stop and think before they act and get themselves into trouble, the more cautious they’re going to be and the more aware they’re going to be.”

In their attempt to escape detection, the perpetrators use multiple bank accounts and/or use multiple names on the same bank account. Some of these accounts may lie dormant for a while, said Ike Suri, CEO of Fundingshield, a firm whose services include account verifications.

“We see some actors requesting the same wires to the same accounts using different names over and over again. It doesn’t mean that it’s for fraud,” said Suri. “The fraudulent accounts usually don’t get too far. The people that are perpetrating these frauds rarely ever keep these accounts open for more than six months because their scam is always going to be found out.”

But just because an account might not be used for a period of time doesn’t mean it won’t be pressed back into service.

“It’s easy to fake a name on a wire account, anybody can do it. I’m sure a lot of the victims may have even verified names on wire accounts,” he added.

“But what we do, is we verify the people who are behind that, along with the age of the wire account; match the corporate entity that is supposedly listed there along with their addresses, so that they all match up, so we know exactly who we’re dealing with and not just other third parties,” Suri said.

Fraudsters have taken advantage of lax rules in some states to file “doing business as” names that are similar to legitimate companies. Then, they open a bank account under that name and masquerade as the real company. Without a background check on the bank account, Suri said, problems can arise when fraud victims don’t know whether they’re dealing with the real company or the impostor.

When it came to developing a strategy to fight BEC fraud, Gateway’s Harpe cited Oakland A’s executive Billy Beane of “Moneyball” fame. “His story is spot on here. You can’t win this fight doing things the old way, thinking with old thoughts. You’ve got to win this fight by hiring people with talent, people that know mathematics, people that can help you find the problems before they get to you.

“No one’s immune to it, and if you don’t have the right people and the right tools, you’re going to lose,” Harpe said.